Hi,I'm having trouble with permissions and ownership on a fedora28 system with apache-2.4 and joomla-3.9. I'd like to be able to have only the minimal number of files necessary to be owned by apache and have an ssh/sftp user have access to read and write every file in the document root.
I'm trying to address three issues: - Provide ability for ssh/sftp users to write files within the document root - Provide apache with only the minimal ability necessary to write/delete files, while not being restricted from reading.- Provide joomla with the ability to write and access files as part of its normal operation
I've loaded mod_suexec and enabled it with "Suexec on" and configured SuexecUserGroup to the name of the ssh/sftp user:
SuexecUserGroup ftpuser ftpuserI understood this to mean that, while apache is running as user "apache", any writes to the document root would be made as "ftpuser", but that does not appear to be the case.
Installing joomla modules still fails because it can't write to some core joomla directories such as ./administrator/cache.
What is the solution to restrict write access by apache to reduce the chances of some kind of privilege escalation attack should there be an apache vulnerability, yet provide regular ftp/sftp users with the ability to write changes as well as joomla itself have the ability to operate?
Thanks, Dave --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx